[minor] Support setting "default CA trust" during install

docs/commands/install.md

@@ -30,6 +30,7 @@ Usage
 ### Advanced MAS Configuration (Optional):
 - `--additional-configs LOCAL_MAS_CONFIG_DIR`         Path to a directory containing additional configuration files to be applied
 - `--non-prod`                                        Install MAS in Non-production mode
+- `--mas-trust-default-cas MAS_TRUST_DEFAULT_CAS`     Trust certificates signed by well-known CAs
 
 ### Maximo Application Suite Core Platform (Required):
 - `--mas-channel MAS_CHANNEL`                                    Subscription channel for the Core Platform
@@ -179,7 +180,7 @@ Select the applications that you would like to install. Note that some applicati
 - Assist and Predict are only available for install if Monitor is selected
 
 
-### Step 9. Configure Datbases
+### Step 9. Configure Databases
 If you have selected one or more applications that require a JDBC datasource (IoT, Manage, Monitor, & Predict) you must choose how to provide that dependency:
 
 - Use the IBM Db2 Universal Operator
@@ -191,14 +192,20 @@ If you choose the latter then you will be prompted to select a local directory w
     If you have already generated the configuration file (manually, or using the install previously) the CLI will detect this and prompt whether you wish to re-use the existing configuration, or generate a new one.
 
 
-### Step 10. Additional Configurations
+### Step 10. Configure Turbonomic
+Additional resource definitions can be applied to the OpenShift Cluster during the MAS configuration step, here you will be asked whether you wish to provide any additional configurations and if you do in what directory they reside.
+
+!!! note
+    If you provided one or more JDBC configurations in step 9 then additional configurations will already be enabled and be pointing at the directory you chose for the JDBC configurations.
+
+### Step 11. Additional Configurations
 Additional resource definitions can be applied to the OpenShift Cluster during the MAS configuration step, here you will be asked whether you wish to provide any additional configurations and if you do in what directory they reside.
 
 !!! note
     If you provided one or more JDBC configurations in step 9 then additional configurations will already be enabled and be pointing at the directory you chose for the JDBC configurations.
 
 
-### Step 11. Configure Storage Class Usage
+### Step 12. Configure Storage Class Usage
 MAS requires both a `ReadWriteMany` and a `ReadWriteOnce` capable storage class to be available in the cluster.  The installer has the ability to recognize certain storage class providers and will default to the most appropriate storage class in these cases:
 
 - IBMCloud Storage (`ibmc-block-gold` & `ibmc-file-gold`)
@@ -214,7 +221,7 @@ When selecting storage classes you will be presented with a list of available st
     Unfortunately there is no way for the install to verify that the storage class selected actually supports the appropriate access mode, refer to the documention from the storage class provider to determine whetheryour storage class supports `ReadWriteOnce` and/or `ReadWriteMany`.
 
 
-### Step 12. Advanced Settings
+### Step 13. Advanced Settings
 These settings can generally be ignored for most installations.
 
 #### Change Cluster monitoring storage defaults?
@@ -224,25 +231,25 @@ Answering "y" at the prompt will allow you to customize the storage capacity and
 Answering "y" will allow you to customise the namespace where Db2, Grafana, and MongoDb are installed in the cluster.
 
 
-### Step 13. Configure IBM Container Registry
+### Step 15. Configure IBM Container Registry
 Provide your IBM entitlement key.  If you have set the `IBM_ENTITLEMENT_KEY` environment variable then you will first be prompted whether you just want to re-use the saved entitlement key.
 
 
-### Step 14. Configure Product License
+### Step 16. Configure Product License
 Provide your license ID and the location of your license file.
 
 
-### Step 15. Configure UDS
+### Step 19. Configure UDS
 Maximo Application Suite's required integration with IBM User Data Services requires your e-mail address and first/last name be provided.
 
 
-### Step 16. Prepare Installation
+### Step 20. Prepare Installation
 No input is required here, the install will prepare the namespace where install will be executed on the cluster and validate that the CLI container image (which will perform the installation) is accessible from your cluster.
 
 !!! note
     For disconnected installations you may need to provide the digest of the ibmmas/cli container image.
 
-### Step 17. Review Settings
+### Step 21. Review Settings
 A summary of all your choices will be presented and you will be prompted to provide a final confirmation as to whether to proceed with the install, or abort.
 
 

image/cli/mascli/functions/install

@@ -31,7 +31,8 @@ Maximo Application Suite Instance (Required):
 
 Advanced MAS Configuration (Optional):
       --additional-configs ${COLOR_YELLOW}LOCAL_MAS_CONFIG_DIR${TEXT_RESET}                    Path to a directory containing additional configuration files to be applied
-      --non-prod                                                   Install MAS in Non-production mode
+      --non-prod                                                                               Install MAS in Non-production mode
+      --mas-trust-default-cas ${COLOR_YELLOW}MAS_TRUST_DEFAULT_CAS${COLOR_YELLOW}              Trust certificates signed by well-known CAs
 
 Maximo Application Suite Core Platform (Required):
       --mas-channel ${COLOR_YELLOW}MAS_CHANNEL${TEXT_RESET}                                    Subscription channel for the Core Platform
@@ -153,6 +154,9 @@ function install_noninteractive() {
     export USE_NON_PROD_MODE=true
     export MAS_ANNOTATIONS="mas.ibm.com/operationalMode=nonproduction"
     ;;
+    --mas-trust-default-cas)
+    export MAS_TRUST_DEFAULT_CAS=$1 && shift
+    ;;
 
     # Core
     --mas-channel)

image/cli/mascli/functions/pipeline_config_advanced

@@ -20,6 +20,9 @@ function config_pipeline_advanced() {
       prompt_for_input "+ Grafana Namespace" GRAFANA_NAMESPACE "grafana"
       prompt_for_input "+ MongoDB Namespace" MONGODB_NAMESPACE "mongoce"
     fi
+    echo
+
+    prompt_for_confirm_default_yes "Trust Default CAs?" MAS_TRUST_DEFAULT_CAS
 
   fi
 }

image/cli/mascli/functions/save_config

@@ -32,6 +32,8 @@ export MAS_DOMAIN=$MAS_DOMAIN
 export CLUSTER_ISSUER_SELECTION=$CLUSTER_ISSUER_SELECTION
 export MAS_CLUSTER_ISSUER=$MAS_CLUSTER_ISSUER
 
+export MAS_TRUST_DEFAULT_CAS=$MAS_TRUST_DEFAULT_CAS
+
 # Additional Config Support
 export LOCAL_MAS_CONFIG_DIR=$LOCAL_MAS_CONFIG_DIR
 

image/cli/mascli/templates/pipelinerun.yaml

@@ -301,6 +301,9 @@ spec:
     - name: mas_icr_cpopen
       value: '$MAS_ICR_CPOPEN'
 
+    - name: mas_trust_default_cas
+      value: '$MAS_TRUST_DEFAULT_CAS'
+
     # MAS Workspace
     # -------------------------------------------------------------------------
     - name: mas_workspace_id

tekton/src/params/install.yml.j2

@@ -352,6 +352,10 @@
 - name: mas_annotations
   type: string
   default: ""
+- name: mas_trust_default_cas
+  type: string
+  default: ""
+  description: Optional boolean parameter that when set to False, disables the normal trust of well known public certificate authorities
 - name: mas_customize_scaling
   type: string
   default: ""

tekton/src/pipelines/taskdefs/core/suite-install.yml.j2

@@ -33,6 +33,8 @@
       value: $(params.mas_customize_scaling)
     - name: mas_manual_cert_mgmt
       value: $(params.mas_manual_cert_mgmt)
+    - name: mas_trust_default_cas
+      value: $(params.mas_trust_default_cas)
     - name: custom_labels
       value: $(params.custom_labels)
     - name: mas_add_catalog

tekton/src/tasks/suite-install.yml.j2

@@ -44,6 +44,10 @@ spec:
       type: string
       description: Optional boolean parameter that when set to True, indicates that manually created certificates will be used to certify MAS and application routes
       default: ""
+    - name: mas_trust_default_cas
+      type: string
+      description: Optional boolean parameter that when set to False, disables the normal trust of well known public certificate authorities
+      default: ""
 
     - name: mas_icr_cp
       type: string
@@ -101,6 +105,8 @@ spec:
         value: $(params.mas_upgrade_strategy)
       - name: MAS_MANUAL_CERT_MGMT
         value: $(params.mas_manual_cert_mgmt)
+      - name: MAS_TRUST_DEFAULT_CAS
+        value: $(params.mas_trust_default_cas)
 
       - name: ARTIFACTORY_USERNAME
         value: $(params.artifactory_username)